Open Source and information security mailing list archives
 
Message-ID: <20031030015849.6502.qmail@sf-www3-symnsj.securityfocus.com>
Date: 30 Oct 2003 01:58:49 -0000
From: Graham Morley <GMorley_Public@...stclass.com>
To: bugtraq@...urityfocus.com
Subject: Re: FirstClass 7.1 HTTP Server: Remote Directory Listing


In-Reply-To: <fc.00802e600021e6b400802e600021e6b4.21e717@...m.org>

>FirstClass 7.1 HTTP Server allows the listing of all files under the web
>root directory and user web directories.

While this statement is correct, it is not a bug, but rather a misunderstanding/misconfiguration of the FirstClass system by the reporter.  The base web folder and user personal web folders are all intended as public data repositories. Anything placed in them is universally accessible by default, unless they are placed in conferences (FirstClass' ACL protected containers) with appropriate permissions set.  This is all by design in order to make web publishing as easy as possible for users and new administrators.  Note that, in the out of the box configuration, no sensitive information is available in any of these folders.

As stated, private portions of a web site can easily be created by creating FirstClass conferences under the WWW folder (or a user's homepage folder) and setting their permissions (search included) to only allow authenticated users (or subsets thereof) to access the content in them.  Alternatively, if the search function is really not desired, it is extremely easy to disable by accessing the "Unauthenticated Users" privilege group (in the "Groups" folder on the administrator's desktop) and turning off the search privilege.  However, do not allow the disabling of unauthenticated search functionality to lull you into a false sense of security regarding your data.  If you have placed it in a public folder, it remains accessible to anyone who knows how to get at it.  The safest thing to do with sensitive information is to not put it in a public place.

>This vulnerability can disclose a huge amount of information about the
>servers setup which will aid attackers in exploiting further holes in the
>server.

This so-called "vulnerability" exposes *no* information about the site that is not already available, since any information turned up in this fashion is already in the public domain.  What this really highlights is the poor security policy put in place by the site administrator if they have recklessly placed sensitive information in a public place.

------------------------------------------------------------------------
Graham Morley
Developer, Internet Services Team
Open Text Corporation Messaging Division
Please visit our web sites:
 - Open Text:  www.opentext.com
 - Messaging Division: www.firstclass.com

